RE: telnet vs ssh on Core equipment, looking for reasons why?
From: Charles Sprickman [mailto:spork@inch.com] Sent: Tuesday, July 31, 2001 9:41 AM
6) Finding a unix ssh that supports 3DES and DES.
I curse those OpenSSH folks for making me have to trudge through the code to find out how to get DES working...
6a) Finding a release on CCO that supports 3DES.
You are probably aware, but EFF published the DES crack. I understand that it is now an issue of cracking DES in less than 12 hours. 3DES is better but it only amounts to DES with a 128-bit key. Definitely a limited shelf-life.
----- Original Message -----
From: "Roeland Meyer" <rmeyer@mhsc.com>
To: "'Charles Sprickman'" <spork@inch.com>; "Jared Mauch" <jared@puck.Nether.net>
Cc: "Mr. James W. Laferriere" <babydr@baby-dragons.com>; <nanog@merit.edu>
Sent: Tuesday, July 31, 2001 5:59 PM
Subject: RE: telnet vs ssh on Core equipment, looking for reasons why?
From: Charles Sprickman [mailto:spork@inch.com] Sent: Tuesday, July 31, 2001 9:41 AM
6) Finding a unix ssh that supports 3DES and DES.
I curse those OpenSSH folks for making me have to trudge through the code to find out how to get DES working...
6a) Finding a release on CCO that supports 3DES.
You are probably aware, but EFF published the DES crack. I understand that it is now an issue of cracking DES in less than 12 hours. 3DES is better but it only amounts to DES with a 128-bit key.
Definitely a limited shelf-life.
I don't see why we even need to discuss some of these issues to this length.
Telnet = Bad = Plain Text
SSH = Better = Some Sort of Encryption (A Decoder Ring is Still better than plain text)
On Tue, 31 Jul 2001 14:59:25 PDT, Roeland Meyer said:
You are probably aware, but EFF published the DES crack. I understand that it is now an issue of cracking DES in less than 12 hours. 3DES is better but it only amounts to DES with a 128-bit key.
Actually, 3DES has a 112 bit effective key. However, although that's only double the key length, the *difficulty* is a bit more than twice as much. Assuming a brute-force of a 56-bit key in 12 hours, then a 112 bit key will take (given the same resources) 2**56 * 12 hours, which is about 864,691,128,455,135,232 hours which works out to 98,709,032,928,668 years, which is about 4,000 times the current estimated age of the universe. This analysis of course assumes that the EFF crack is a brute-force, and not a result of differential cryptanalysis or exploitation of a flaw in the DES S-boxes or similar. Schneier's 'Applied Cryptography' lists an attack that's around 2**47 rather than 2**56, assuming you can get the victim to encrypt several gigabytes of text of your choosing with his key....
--
Valdis Kletnieks
Operating Systems Analyst
Virginia Tech
On Tue, 31 Jul 2001, Roeland Meyer wrote:
You are probably aware, but EFF published the DES crack. I understand that it is now an issue of cracking DES in less than 12 hours. 3DES is better but it only amounts to DES with a 128-bit key.
Definitely a limited shelf-life.
2^128/2^56 * 12hrs = 6.46 * 10^18 years
I take it that you plan on living a lot longer than I do?
You are forgetting about the people who build hardware just to crack this. I think the important thing here is to use good security practices when connecting to your routers/equipment. The second thing that is even *more* important is insuring that your vendor makes it easy to access images that can use secure connection methods.
- Jared
On Wed, Aug 01, 2001 at 08:15:47AM -0400, Greg Maxwell wrote:
On Tue, 31 Jul 2001, Roeland Meyer wrote:
You are probably aware, but EFF published the DES crack. I understand that it is now an issue of cracking DES in less than 12 hours. 3DES is better but it only amounts to DES with a 128-bit key.
Definitely a limited shelf-life.
2^128/2^56 * 12hrs = 6.46 * 10^18 years
I take it that you plan on living a lot longer than I do?
--
Jared Mauch | pgp key available via finger from jared@puck.nether.net
clue++; | http://puck.nether.net/~jared/ My statements are only mine.
You are forgetting about the people who build hardware just to crack this.
No, not really. For each bit of length you add to the key, you double either the (average) time or the amount of hardware needed to crack it. As the pool of hardware gets larger, the storage, communications and power requirements grow in proportion - rapidly leaving only the time component to increase. Assuming you could build a machine 256 times the parallel processing power of the DES cracker, that still only shaves 8 bits off the key length - and of course the 56-bit cracking machine was only capable of testing 56-bit keys - so a larger gate array design would be needed, further increasing the number of chips or power of chips needed per parallel testing unit. I am sure if the NSA had built a city the size of New York as one big computer, with power stations and staff, just so they can crack *a* key within the lifetime of its user, someone would have noticed...
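The scaling argument running through Valdis's, Greg's and David's replies, worked through as an added example (not code from any poster): starting from the thread's stated baseline of one 56-bit DES key in about 12 hours, each extra key bit doubles the search, and a hardware speed-up only subtracts log2(factor) bits. The 112-bit figure for 3DES (meet-in-the-middle on three-key 3DES) and the 128-bit figure from the original post are both carried so the two year estimates in the thread can be compared.

```python
from fractions import Fraction
from math import log2

# Baseline as stated in the thread: the EFF machine exhausts a 56-bit DES
# key in roughly 12 hours (assumption taken from the posts, not measured).
DES_BITS = 56
DES_CRACK_HOURS = 12
HOURS_PER_YEAR = 365 * 24  # Valdis's year figure uses 365 days

# Effective exhaustive-search strength in bits for the ciphers discussed.
# Three-key 3DES has 168 nominal key bits, but meet-in-the-middle cuts the
# search to about 2**112, which is the correction Valdis makes to the
# "128-bit" claim in the original post.
EFFECTIVE_BITS = {"DES": 56, "3DES (effective)": 112, "3DES as claimed": 128}


def brute_force_hours(key_bits: int, hardware_factor: int = 1) -> Fraction:
    """Hours to exhaust a key space, scaled from the DES baseline.

    Each extra bit doubles the work; `hardware_factor` copies of the
    cracker divide it. Exact rational arithmetic keeps the big numbers honest.
    """
    return Fraction(DES_CRACK_HOURS * 2 ** (key_bits - DES_BITS), hardware_factor)


def brute_force_years(key_bits: int, hardware_factor: int = 1) -> int:
    """Same estimate in whole years (floor), as the thread quotes it."""
    return int(brute_force_hours(key_bits, hardware_factor) // HOURS_PER_YEAR)


def bits_shaved(hardware_factor: int) -> float:
    """Key bits a hardware speed-up is worth: 256x the cracker removes 8 bits."""
    return log2(hardware_factor)


def crack_time_table(hardware_factor: int = 1) -> dict:
    """Years per cipher for a given multiple of the EFF cracker's hardware."""
    return {name: brute_force_years(bits, hardware_factor)
            for name, bits in EFFECTIVE_BITS.items()}


if __name__ == "__main__":
    for factor in (1, 256):
        print(f"hardware x{factor} (shaves {bits_shaved(factor):.0f} bits):")
        for name, years in crack_time_table(factor).items():
            print(f"  {name:18s} {years:,} years")
```

Running it reproduces Valdis's 98,709,032,928,668 years for 112 bits and Greg's ~6.46e18 years for 128 bits, and shows that 256x the hardware moves 3DES from 2**56 to 2**48 baseline-units, still well beyond any user's lifetime.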
participants (6)
- David Howe
- Greg Maxwell
- Jared Mauch
- Roeland Meyer
- Valdis.Kletnieks@vt.edu
- Wojtek Zlobicki